Understanding the social engineering threat is important in requirements engineering for security-critical information systems. Mal-activity diagrams have been proposed as being better than misuse cases for this purpose, but without any empirical testing. The research question in this study is whether mal-activity diagrams would be more efficient than misuse cases for understanding social engineering attacks and finding prevention measures. After a conceptual comparison of the modelling techniques, a controlled experiment is presented, comparing the efficiency of using the two techniques together with textual descriptions of social engineering attacks. The results were fairly equal, the only significant difference being a slight advantage for mal-activity diagrams concerning perceived ease of use. The study gives new insights into the relative merits of the two techniques, and suggests that the advantage of mal-activity diagrams is smaller than previously assumed. However, more empirical investigations are needed to draw detailed conclusions.